Wilders Security Forums  

#1  June 24th, 2005, 03:34 PM
TonyKlein (Security Expert; Join Date: Feb 2002; Location: The Netherlands; Posts: 3,956)
Just curious: why is Nod32 trying to send nonexisting files for analysis?

On two or three occasions, usually on reboot after imaging my drive (and I don't mean restoring an image) Nod32 has alerted me to a few suspicious files (always the same ones) it would like me to send in for analysis.

Log entries after doing so:

Quote:
20-6-2005 20:18:26 Kernel The file 'C:\DOCUME~1\MIKEDW~1.JAC\LOCALS~1\Temp\bjazpu.exe' has been sent to Eset's labs for analysis.
20-6-2005 20:18:26 Kernel The file 'C:\WINNT\System32\wscntfy.exe' has been sent to Eset's labs for analysis.

Now I have a few problems with that:

First of all, I was completely unable to find any trace of those files and besides, I know I'm not infected...

What's even stranger, I don't HAVE a Docs and Settings\Mike something folder, and, as I'm running XP Pro, I don't even have a C:\Winnt folder either... LOL

An on demand system scan always pronounces me clean.

Now in the past I frequently used to download and test malware, but even that doesn't begin to explain (at least to me it doesn't) why Nod32 was/is finding those files, especially in folders that don't exist...

Can anyone shed some light on this, please (just curious...)
__________________
Tony < > CLSID List - A Collection of Autostart Locations
#2  June 24th, 2005, 03:41 PM
FanJ (Posts: n/a)

I hope you'll get an answer from ESET, Ton.

Lately I find the support from ESET very bad, and I'm seriously considering dumping the whole program.

Take care my old friend !!!

Cheers, Jan.
#3  June 24th, 2005, 03:52 PM
TonyKlein (Security Expert; Join Date: Feb 2002; Location: The Netherlands; Posts: 3,956)

Hi Jan!

I detect some bitterness there...

Personally, I have to say I'm still pretty pleased with this latest version of Nod32, and I expect this to be a harmless, although weird little quirk...
__________________
Tony < > CLSID List - A Collection of Autostart Locations
#4  June 24th, 2005, 04:10 PM
Mike415 (Infrequent Poster; Join Date: Mar 2005; Posts: 42)

Try enabling the view of hidden files and folders...
#5  June 24th, 2005, 04:16 PM
TonyKlein (Security Expert; Join Date: Feb 2002; Location: The Netherlands; Posts: 3,956)

I know about un-hiding files and folders...

But please read what I wrote: my system folder is C:\Windows\System32 - I don't HAVE a Winnt folder, and being the only user of this computer, I'd certainly know it if there was a 'Mike' there as well.

The folders do not exist on my computer.
__________________
Tony < > CLSID List - A Collection of Autostart Locations
#6  June 24th, 2005, 04:18 PM
Marcos (Eset Moderator; Join Date: Nov 2002; Posts: 14,225)

To FanJ:
I really don't know whom you contacted, because we at Eset in Slovakia respond to every email that arrives. Please send me a PM with more details such as what address you sent it to, or simply PM me your inquiry. I'll be happy to respond instantly, but please take into account that we, in Slovakia, are in a different time zone.

To TonyKlein:
I assume the folder c:\winnt was created by a trojan which was subsequently moved by AMON to quarantine (default setting). The same goes for the file in the temp folder.
#7  June 24th, 2005, 04:22 PM
TonyKlein (Security Expert; Join Date: Feb 2002; Location: The Netherlands; Posts: 3,956)

Quote:
Originally Posted by Marcos
I assume the folder c:\winnt was created by a trojan which was subsequently moved by AMON to quarantine (default setting). The same goes for the file in the temp folder.
Hi Marcos,

After receiving the first alert, although mighty surprised, I immediately proceeded to search for the files, but, not unexpectedly, I really didn't have the Winnt folder then either.
Neither file nor folder was there in the first place, nor do I remember Amon quarantining or catching anything beforehand.
In any case, the Quarantine folder was empty (I now remember I checked it...).

As for the file in the Temp folder, am I to assume the trojan first created a brand new user profile by the name of Mike something all by itself before subsequently installing itself in its Local Settings\Temp folder?

And that subsequently Amon not only deleted/quarantined the infected files but got rid of those folders as well, leaving no trace?

Pretty much unheard of, if you ask me...
__________________
Tony < > CLSID List - A Collection of Autostart Locations

Last edited by TonyKlein : June 24th, 2005 at 04:30 PM.
#8  June 24th, 2005, 04:25 PM
TonyKlein (Security Expert; Join Date: Feb 2002; Location: The Netherlands; Posts: 3,956)

... also, if Amon ever quarantined, detected or removed any of these files, there should be some entry in the logs, I should think... which there isn't.
__________________
Tony < > CLSID List - A Collection of Autostart Locations
#9  June 24th, 2005, 04:33 PM
Marcos (Eset Moderator; Join Date: Nov 2002; Posts: 14,225)

Isn't there anything mentioned in the Threat log?

From time to time, I'm trying to infect my testing machine with 10-20 trojans at a time and AMON has never done anything strange.
#10  June 24th, 2005, 04:35 PM
FanJ (Posts: n/a)

Quote:
Originally Posted by Marcos
To FanJ:
I really don't know whom you contacted, because we at Eset in Slovakia respond to every email that arrives. Please send me a PM with more details such as what address you sent it to, or simply PM me your inquiry. I'll be happy to respond instantly, but please take into account that we, in Slovakia, are in a different time zone.

Hi Marcos,

I will let you know.
Looking forward to your reply.

I don't want to hijack Tony's thread any further.
Sorry Ton !!!

Jan.
#11  June 24th, 2005, 04:36 PM
TonyKlein (Security Expert; Join Date: Feb 2002; Location: The Netherlands; Posts: 3,956)

Entire log (I've been trying out some stuff... LOL)

Quote:
Time Module Object Name Threat Action User Information
21-6-2005 23:31:25 AMON file C:\Documents and Settings\Ton\Local Settings\Temporary Internet Files\Content.IE5\H6LB52T5\start[1].htm VBS/TrojanDownloader.Phel.D trojan deleted ANTHONY\Ton Event occurred at an attempt to access the file by the application: C:\Program Files\Quick View Plus\Program\qvp32.exe.
21-6-2005 23:30:30 AMON file C:\Documents and Settings\Ton\Local Settings\Temporary Internet Files\Content.IE5\H6LB52T5\start[1].htm VBS/TrojanDownloader.Phel.D trojan ANTHONY\Ton Event occurred at an attempt to access the file by the application: C:\Program Files\Quick View Plus\Program\qvp32.exe.
21-6-2005 23:28:39 AMON file C:\Documents and Settings\Ton\Local Settings\Temporary Internet Files\Content.IE5\H6LB52T5\start[1].htm VBS/TrojanDownloader.Phel.D trojan ANTHONY\Ton Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe.
21-6-2005 23:28:38 AMON file C:\Documents and Settings\Ton\Local Settings\Temporary Internet Files\Content.IE5\HLGW3A5R\last[1].htm VBS/Exploit.Phel.A trojan ANTHONY\Ton Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe.
21-6-2005 23:28:36 IMON file VBS/TrojanDownloader.Phel.D trojan ANTHONY\Ton
21-6-2005 23:28:21 IMON file VBS/Exploit.Phel.A trojan ANTHONY\Ton
21-6-2005 22:32:10 IMON file Java/Exploit.Bytverify.F trojan Connection terminated ANTHONY\Ton
21-6-2005 22:32:07 IMON file Java/Exploit.Bytverify.F trojan Connection terminated ANTHONY\Ton
21-6-2005 22:32:06 IMON file VBS/Psyme.AP trojan Connection terminated ANTHONY\Ton
21-6-2005 22:32:05 IMON archive multiple infiltrations Connection terminated ANTHONY\Ton
21-6-2005 22:32:05 IMON file Java/Exploit.Bytverify.F trojan Connection terminated ANTHONY\Ton
21-6-2005 22:32:04 IMON file VBS/Exploit.Phel.A trojan Connection terminated ANTHONY\Ton
21-6-2005 22:32:04 IMON file HTML/Mht.AP Exploit Connection terminated ANTHONY\Ton
21-6-2005 22:31:06 IMON archive multiple infiltrations ANTHONY\Ton
21-6-2005 21:10:18 IMON archive Win32/Agent.CS trojan ANTHONY\Ton
18-6-2005 10:29:02 AMON file C:\Program Files\AT\TDS3\xDynamic\TDS.Unpk\start.exe Win32/Adware.ISTbar application deleted ANTHONY\Ton Event occurred on a new file created by the application: C:\Program Files\AT\TDS3\tds-3.exe.
13-6-2005 16:36:11 AMON file C:\Program Files\AT\TDS3\xDynamic\TDS.Unpk\nx.exe Win32/Dialer.PRPXDial.A application NT AUTHORITY\SYSTEM Event occurred at an attempt to access the file by the application: C:\DOCUME~1\Ton\LOCALS~1\Temp\CQN.exe.
30-5-2005 23:22:07 IMON archive multiple infiltrations Connection terminated ANTHONY\Ton
29-5-2005 18:30:34 IMON file Win32/Adware.ImiBar application ANTHONY\Ton
29-5-2005 18:30:18 IMON file Win32/Adware.ImiBar application ANTHONY\Ton
29-5-2005 18:30:09 IMON file Win32/Adware.ImiBar application ANTHONY\Ton

(Log since I did a fresh install of the latest build, BTW, TDS3 folder now excluded from scanning...)
__________________
Tony < > CLSID List - A Collection of Autostart Locations

Last edited by TonyKlein : June 24th, 2005 at 05:00 PM.
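The question running through posts #1, #8 and #11 is whether the Kernel log's "has been sent to Eset's labs" entries can be matched to any AMON/IMON record in the Threat log. The script below is an added example (not from this thread, and not ESET's code): it parses the two NOD32 v2 log formats quoted above, extracts the object path from Threat log rows, records which action (if any) the log shows, and lists submitted files for which the Threat log holds no entry at all. The sample lines are copied from posts #1 and #11; the single line marked CONSTRUCTED is an invented control that does match a Threat log row, so the output shows both outcomes. Matching is by exact, case-insensitive path; 8.3 short names such as DOCUME~1 cannot be expanded offline, so they only match if the Threat log used the same short form.

```python
"""Correlate NOD32 v2 'sent to Eset's labs' Kernel-log lines with the Threat log.

Added example for this thread, not NOD32's own code. It flags submitted files
that never appear in the Threat log, which is the situation described in
post #1 (nothing detected, nothing quarantined, yet files were submitted).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Kernel log line (post #1): ... The file '<path>' has been sent to Eset's labs ...
SUBMIT_RE = re.compile(r"The file '(?P<path>[^']+)' has been sent to Eset's labs")

# Threat log row (post #11): "<date> <time> <MODULE> <file|archive> ...".
THREAT_HEAD_RE = re.compile(
    r"^(?P<date>\d{1,2}-\d{1,2}-\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<module>[A-Z]+) (?P<kind>file|archive)\b"
)

# Object path in a Threat log row. Paths contain spaces, so the match runs from
# the drive letter to the first short extension that is followed by whitespace
# or end of line. Paths without an extension would not be recognised.
PATH_RE = re.compile(r"(?P<path>[A-Za-z]:\\.+?\.[A-Za-z0-9]{2,4})(?=\s|$)")

# The only two action strings that occur in the log quoted in post #11.
ACTIONS = ("deleted", "Connection terminated")


@dataclass
class ThreatRecord:
    date: str
    time: str
    module: str               # AMON or IMON
    path: Optional[str]       # None for IMON rows, which log no object path
    action: Optional[str]     # None when the row shows no action taken


def parse_threat_line(line: str) -> Optional[ThreatRecord]:
    """Return a ThreatRecord, or None for the header row / unrelated text."""
    head = THREAT_HEAD_RE.match(line)
    if not head:
        return None
    m = PATH_RE.search(line)          # first path on the row is the object
    action = next((a for a in ACTIONS if a in line), None)
    return ThreatRecord(head["date"], head["time"], head["module"],
                        m["path"] if m else None, action)


def parse_submissions(lines: List[str]) -> List[str]:
    """Paths reported by the Kernel module as sent in for analysis."""
    return [m["path"] for m in (SUBMIT_RE.search(l) for l in lines) if m]


def normalize(path: str) -> str:
    # Windows paths are case-insensitive; short (8.3) names are left as-is.
    return path.lower()


def unexplained_submissions(kernel_lines: List[str], threat_lines: List[str]) -> List[str]:
    """Submitted paths with no Threat log row at all (detected, deleted or otherwise)."""
    records = [r for r in map(parse_threat_line, threat_lines) if r]
    seen = {normalize(r.path) for r in records if r.path}
    return [p for p in parse_submissions(kernel_lines) if normalize(p) not in seen]


# Sample input: Kernel log lines from post #1, plus one CONSTRUCTED control line.
KERNEL_LOG = [
    r"20-6-2005 20:18:26 Kernel The file 'C:\DOCUME~1\MIKEDW~1.JAC\LOCALS~1\Temp\bjazpu.exe' has been sent to Eset's labs for analysis.",
    r"20-6-2005 20:18:26 Kernel The file 'C:\WINNT\System32\wscntfy.exe' has been sent to Eset's labs for analysis.",
    # CONSTRUCTED for this example: a submission that does have a Threat log row.
    r"21-6-2005 23:31:30 Kernel The file 'C:\Documents and Settings\Ton\Local Settings\Temporary Internet Files\Content.IE5\H6LB52T5\start[1].htm' has been sent to Eset's labs for analysis.",
]

# Sample input: header and four rows copied from the Threat log in post #11.
THREAT_LOG = [
    "Time Module Object Name Threat Action User Information",
    r"21-6-2005 23:31:25 AMON file C:\Documents and Settings\Ton\Local Settings\Temporary Internet Files\Content.IE5\H6LB52T5\start[1].htm VBS/TrojanDownloader.Phel.D trojan deleted ANTHONY\Ton Event occurred at an attempt to access the file by the application: C:\Program Files\Quick View Plus\Program\qvp32.exe.",
    r"21-6-2005 23:28:36 IMON file VBS/TrojanDownloader.Phel.D trojan ANTHONY\Ton",
    r"21-6-2005 22:32:10 IMON file Java/Exploit.Bytverify.F trojan Connection terminated ANTHONY\Ton",
    r"18-6-2005 10:29:02 AMON file C:\Program Files\AT\TDS3\xDynamic\TDS.Unpk\start.exe Win32/Adware.ISTbar application deleted ANTHONY\Ton Event occurred on a new file created by the application: C:\Program Files\AT\TDS3\tds-3.exe.",
]


if __name__ == "__main__":
    for rec in filter(None, map(parse_threat_line, THREAT_LOG)):
        print(f"{rec.date} {rec.time} {rec.module:4} action={rec.action!r} path={rec.path!r}")
    print("Submitted without any Threat log record:")
    for path in unexplained_submissions(KERNEL_LOG, THREAT_LOG):
        print("  ", path)
```

Run against the quoted lines, the two paths from post #1 come out as unexplained and the constructed start[1].htm submission is matched to its AMON "deleted" row. On a real machine the same check would be run over the full exported logs rather than the few rows pasted here.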
#12  June 24th, 2005, 04:41 PM
FanJ (Posts: n/a)

For Tony and Marcos:

Hi guys,
I will send you both an IM on this board in a few minutes; please do look at it.

Warm regards, Jan.
#13  June 24th, 2005, 04:45 PM
Marcos (Eset Moderator; Join Date: Nov 2002; Posts: 14,225)

Well, could you please confirm you actually installed NOD32 on May 29 as it is the very earliest date in your log?
#14  June 24th, 2005, 04:52 PM
TonyKlein (Security Expert; Join Date: Feb 2002; Location: The Netherlands; Posts: 3,956)

Not 110% sure, but close to that date, at least.

However, I'm not sure that's even relevant to this problem, as around the time I got that latest prompt (four days ago) I turned my machine upside down, but of course there were no such folders or files to be found.
So how can Nod32 be sending in nonexistent files from nonexistent folders (as the log says it did), moreover without so much as a squeak from Amon prior to, during or after the event?

And where did these mysterious files go, if they were neither quarantined nor deleted, and I'm not even mentioning the folders in question?

It's not a big deal to me, but it's weird nonetheless.

Were it to happen again (one never knows...) I'll be sure to post here right away...
__________________
Tony < > CLSID List - A Collection of Autostart Locations
#15  June 24th, 2005, 05:00 PM
TonyKlein (Security Expert; Join Date: Feb 2002; Location: The Netherlands; Posts: 3,956)

OK, I removed all 'bad' links from my Threat Log (thanks, Jan! )
__________________
Tony < > CLSID List - A Collection of Autostart Locations
All times are GMT -4. The time now is 07:09 PM.


Powered by vBulletin® Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2013, Wilders Security Forums